tcpdump/tcptrace

Quick Summary:

Sample Use:

tcpdump -i ethN -s 100 -w /tmp/tcpdump.out host hostname
tcptrace -Sl /tmp/tcpdump.out
xplot /tmp/a2b_tsg.xpl

Note that tcptrace writes its .xpl graph files into the current working directory (see its --output_dir option), so run the tcptrace step from /tmp, or adjust the path given to xplot.

Details

TCP hides performance related details from the user. Capturing packets during a test, with tools like tcpdump, reveals the nuances of a particular data transfer: the behavior of the data and acknowledgment streams (including whether duplication, retransmission, or packet reordering has occurred) as well as the behavior of window advertisement. After a packet trace is captured between the hosts participating in a performance test, tools such as tcptrace can be used to analyze the behavior of each flow. In addition to printing a summary, tcptrace can output files suitable for use with the xplot tool.

The following sections outline use of these tools in debugging network problems. 

tcpdump

Tcpdump is an application designed to capture packets. Normally the packet headers are all that is needed for performance analysis. By reducing the "snapshot length" (-s flag) we reduce the portion of each packet that is captured and save on disk I/O; this is often critical to loss-free packet capture, since perfSONAR hosts are often built without high-performance disk subsystems. A short snapshot length also keeps application payload out of the dump file, which matters if the trace will be shared with others. Specifying a snapshot length of 0 captures entire packets, in contrast to the 100 bytes used in the examples on this page, which is enough for the Ethernet, IP and TCP headers (TCP options included) that performance analysis needs. Tcpdump runs on a target interface and accepts filter expressions so that only the hosts and ports of interest are captured. Tcpdump puts the interface into promiscuous mode by default and needs raw access to it, so it must be run as root or via mechanisms like sudo. Example use cases appear below:

Capture all traffic from a specific host (incoming and outgoing) on the target interface (eth0) and store it in the file /tmp/tcpdump.out

sudo tcpdump -i eth0 -s 100 host 192.168.0.1 -w /tmp/tcpdump.out

Note that /tmp is often a faster file system (frequently memory backed), so it's a good place to write the dump file. After the capture finishes, check the "packets dropped by kernel" count that tcpdump prints: a non-zero value means the trace is incomplete and any loss or retransmission analysis on it is suspect.

Capture all traffic to or from a specific port (here 5001, the default iperf port) on eth0 and store it in /tmp/tcpdump.out

sudo tcpdump -i eth0 -s 100 port 5001 -w /tmp/tcpdump.out

A good tutorial on tcpdump can be found here.

tcptrace

Tcpdump captures packets according to specific filters, while the tcptrace tool is used to analyze the data and output succinct summaries. Tcptrace reads a complete dump file (e.g. the file written by tcpdump's -w option) and categorizes its output into distinct flow summaries if there are multiple flows in the trace. There are options to view the summaries, as well as to produce files that can be viewed with the xplot viewer. The end goal is to identify the behavior of a specific flow in a given dump file, and to be able to make judgements about the flow of the data and acknowledgements. Example use cases appear below:

Output "long" analysis  with congestion window information for target dump file

tcptrace -lW ~/dump.dmp

Generate all graphs for target dump file

tcptrace -G ~/dump.dmp

Note that with the latter use, several graph types will be created for each source/destination flow in the dump file (one file per direction, named after tcptrace's a2b/b2a flow labels):

  • Time Sequence Graph (TSG)
  • Throughput Graph (TPUT)
  • RTT Graph (RTT)
  • Outstanding Data Graph (OWIN)
  • Segment Size Graph (SSIZE)
  • Time-Line Graph (TLINE)

The TSG graph is normally the most useful output to analyze further, as it contains an ordered graph of events (retransmissions, losses, duplicate acknowledgements) for the specific flow.
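The following is an added example, not code from the original page or from the tcpdump/tcptrace projects. It shows, for both the header-only capture described in the tcpdump section and the per-flow summary described above, what those tools are doing underneath: it parses a classic libpcap file captured with the page's snaplen of 100, decodes only the Ethernet/IPv4/TCP headers, takes the payload length from the IP total length (so truncated payload does not matter), and reports per direction the counts that tcptrace's long output and the TSG graph make visible: segments, data bytes, retransmissions, duplicate ACKs and truncated records. The capture it analyzes is constructed in memory with hypothetical hosts 192.168.0.1:40000 and 192.168.0.2:5001; it is not a real trace, and the hosts, ports and timings are assumptions made for the example. Only classic pcap on Ethernet is handled (no pcapng, no IPv6, no sequence-number wrap).

```python
"""Header-only pcap parser with a per-direction TCP flow summary (added example)."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps, little-endian writer
SNAPLEN = 100                # the header-only snaplen used on this page


def parse_pcap(data):
    """Yield (timestamp, caplen, wirelen, frame) for each record in a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("unsupported capture format (expected classic pcap)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, caplen, wirelen, data[off:off + caplen]
        off += caplen


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers. Payload length comes from the IP total
    length field, so it is correct even when the snaplen cut the payload off."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp[13], "payload_len": total_len - ihl - doff}


def analyze(pcap_bytes):
    """Summary per direction keyed by (src, sport, dst, dport), like tcptrace's a2b / b2a."""
    flows = {}
    for _ts, caplen, wirelen, frame in parse_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        f = flows.setdefault(key, {"segments": 0, "data_bytes": 0, "retransmissions": 0,
                                   "dup_acks": 0, "truncated": 0, "_max_seq_end": None, "_last_ack": None})
        f["segments"] += 1
        if caplen < wirelen:          # snaplen dropped payload; the headers are still intact
            f["truncated"] += 1
        if pkt["payload_len"] > 0:
            f["data_bytes"] += pkt["payload_len"]
            # Data starting below the highest sequence number already seen is a retransmission.
            if f["_max_seq_end"] is not None and pkt["seq"] < f["_max_seq_end"]:
                f["retransmissions"] += 1
            f["_max_seq_end"] = max(f["_max_seq_end"] or 0, pkt["seq"] + pkt["payload_len"])
        elif pkt["flags"] & 0x10:     # pure ACK repeating the previous ack number = duplicate ACK
            if f["_last_ack"] == pkt["ack"]:
                f["dup_acks"] += 1
            f["_last_ack"] = pkt["ack"]
    return flows


# ---- constructed sample capture (hypothetical hosts; not from the original page) ----
def _frame(src, dst, sport, dport, seq, ack, flags, payload_len):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + b"x" * payload_len


def sample_capture():
    """Trace as seen at A: A sends three 1448-byte segments to B, the second is lost
    downstream (so it still appears here), B sends two duplicate ACKs, A retransmits."""
    A, B, MSS, ACK, PSHACK = "192.168.0.1", "192.168.0.2", 1448, 0x10, 0x18
    events = [
        (0.000, A, B, 40000, 5001, 1, 1, PSHACK, MSS),
        (0.001, A, B, 40000, 5001, 1 + MSS, 1, PSHACK, MSS),      # lost after capture point
        (0.002, A, B, 40000, 5001, 1 + 2 * MSS, 1, PSHACK, MSS),
        (0.010, B, A, 5001, 40000, 1, 1 + MSS, ACK, 0),
        (0.011, B, A, 5001, 40000, 1, 1 + MSS, ACK, 0),           # dup ACK
        (0.012, B, A, 5001, 40000, 1, 1 + MSS, ACK, 0),           # dup ACK
        (0.200, A, B, 40000, 5001, 1 + MSS, 1, PSHACK, MSS),      # retransmission
        (0.210, B, A, 5001, 40000, 1, 1 + 3 * MSS, ACK, 0),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, SNAPLEN, 1)
    for ts, src, dst, sp, dp, seq, ack, flags, plen in events:
        frame = _frame(src, dst, sp, dp, seq, ack, flags, plen)
        cap = frame[:SNAPLEN]          # exactly what tcpdump -s 100 would keep
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(cap), len(frame)) + cap
    return out


if __name__ == "__main__":
    for (src, sp, dst, dp), f in analyze(sample_capture()).items():
        print(f"{src}:{sp} -> {dst}:{dp}  segs={f['segments']} data={f['data_bytes']} "
              f"rexmit={f['retransmissions']} dupack={f['dup_acks']} truncated={f['truncated']}")
```

Run it as a script to see one summary line per direction; point analyze() at the bytes of a real /tmp/tcpdump.out (classic pcap, Ethernet) to compare against tcptrace -l. Note that because the trace is taken at the sender, the lost segment is present in the capture; the loss shows up only indirectly, as the duplicate ACKs from the receiver and the later retransmission, which is exactly the pattern the TSG graph plots.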

Additional information can be found in the tcptrace manual: http://www.tcptrace.org/manual/index.html

xplot

Xplot is a visualization tool for plotting complex data sets, and is available as a package for Linux and OS X systems (via MacPorts). Xplot supports multiple plots on a single graph, can arbitrarily color and annotate plot points, and allows click/drag/zoom navigation. Example use cases appear below:

Display a graph generated by tcptrace (the -G option run over the target dump file).

xplot graph.xpl

Open two graphs using a common 'y' axis range (assists with comparing the relative slope of 'throughput' between flows)

xplot -y 'yrange' graph1.xpl graph2.xpl


More Information:

Debugging TCP connections using tcptrace

Presentation demonstrating the use of TCPDump, TCPTrace, and XPlot
